
If You Were in the Odido Breach — What to Do Now

The Odido dataset is public. It has been downloaded thousands of times. It is sitting on criminal infrastructure, indexed, searchable, and available to anyone willing to look.

If you were an Odido customer — including a decade ago — your personal data is likely in it. The dataset covers millions of individuals and 600,000 companies. Former customers who cancelled years ago are in it. People who never received a notification are in it.

This article is not about what happened. It is about what the exposure enables, and what closes it.

What Was Taken — And Why It Matters

The Odido dataset contains full legal names, home addresses, dates of birth, email addresses, phone numbers, IBAN numbers, and national identity document numbers — including passports and residence permits with validity dates. It also contains internal customer service notes: payment arrangements, fraud flags, guardian designations, and account histories.

That combination is not a typical data breach. It is an identity dossier. The fields that leaked — IBAN, full name, date of birth, national ID number — are exactly what financial institutions, telecoms, and government services use to verify identity. An attacker with this data does not need to guess. They already have the answers.

The fraud is already running. Reports to the Central Identity Fraud Reporting Point more than doubled in the weeks following the full data release, with 590 confirmed cases tied to the breach. Fake compensation portals appeared within 24 hours. SIM-swap attempts followed. This is an active threat environment, not a future risk.

Verify Whether You Are Exposed

The Dutch police verification tool at “Checkjehack” confirms whether your details appeared in the breach. Have I Been Pwned has indexed the full dataset.

Even if neither returns a match, that is not a guarantee. These tools search known published fields. They do not cover downstream copies or derived datasets. If you were ever an Odido customer, the safer assumption is that your data is compromised.

Lock Your Email First

Your email address is the master key. Every service you use — bank, insurer, government portal — routes password resets and verification through it. If criminals have your name, date of birth, and IBAN, taking your email account is the logical next move.

Enable two-factor authentication using an authenticator app, not SMS. SIM-swap attacks are already running against Odido victims, which makes SMS verification codes unreliable. If your provider supports a hardware security key, use one.

Change your email password to something long and unique to that account. If you reuse that password anywhere else, change it on those accounts too. The Odido data gives attackers enough context to make credential-stuffing attempts significantly more targeted.

Flag Your Bank

Call your bank using the number on the back of your card or from their official app. Not through a link. Not through a search result.

Tell them you were in the Odido breach. Ask about recent activity you did not authorise. Ask whether any change requests — address updates, new card orders, direct debit amendments — have come through. Some banks will add a manual verification step to account changes on request.

The IBAN numbers in the Odido dataset are sufficient to set up fraudulent direct debits under SEPA rules. You do not need to initiate a transaction for money to leave your account.

Watch for Approaches, Not Just Transactions

The most dangerous attacks that follow a breach like this are not automated. They are personal.

Criminals with your name, address, date of birth, phone number, and IBAN can call you and sound legitimate. They can reference real account details. The internal customer service notes leaked in this breach — payment arrangements, guardian designations, fraud flags — allow attackers to craft impersonation attempts that would fool most people. They can pose as Odido, your bank, your insurer, the “Belastingdienst”, the police.

Any contact initiated toward you — by phone, email, SMS, or post — asking you to verify details, click a link, approve a transaction, or provide additional information should be treated as suspect until independently verified. Do not trust caller ID. Do not click links in breach-related emails. If someone contacts you claiming to be from your bank or from Odido, hang up and call back on a number you find yourself.

Fake compensation websites have already appeared. One — odidoschadeschade.nl — charged victims €49.99 to “join a mass claim,” contained fabricated breach details, and was flagged by the “Consumentenbond” as a scam within hours. If you are considering legal action, do so only through a verified law firm you have independently identified.

The Layering Problem

The Odido data does not sit in isolation. It joins whatever was already publicly available about you: people-search listings, data broker profiles, social media footprints, address records, company filings, and any previous breach data linked to your email or phone number.

When criminals work breach victims, they do not use one dataset. They layer. Your Odido record gets combined with everything else findable about you to build a fuller profile. The richer the profile, the more convincing the impersonation, the more targeted the fraud.

This is the part most breach guidance skips: the Odido dataset is not the whole problem. It is the newest addition to whatever was already out there. Understanding the full picture requires knowing what else is exposed — not just what Odido lost.

Higher-Risk Categories

The steps above apply to everyone. Some situations demand more.

If your credentials were compromised independently — through a corporate breach, password reuse, or unexplained account access — the Odido data compounds the risk. Credential pairs from dark web forums and prior breaches may already link your identity to a working login. That exposure needs to be mapped, not guessed at.

If you are an executive, public figure, or professional whose home address and identity documents are particularly sensitive: RTL and Follow the Money confirmed that the Odido dataset contains personal data of four sitting government ministers, three individuals under active state protection, and employees of ASML, NXP, Philips, and Thales. If ministers and intelligence staff were exposed without targeted notification, your exposure may be equally unacknowledged.

If you are already experiencing unusual contact — scam calls, unfamiliar login attempts, strangers who seem to know things about you — the threat is no longer theoretical. It is active.

The Window

Breach risk concentrates in the weeks and months after a dataset goes public, when criminal actors are actively working the data and most victims have not yet responded. That window does not stay open indefinitely, but it is open now.

The steps in this article are free and immediate. The harder work — mapping your full exposure across data brokers, dark web sources, and breach databases, then systematically removing what can be removed — takes more effort. But starting with the basics costs nothing, and delay compounds the risk.

If you want to know what a search like this returns about you, a Snapshot Scan will tell you.

If this is your situation

If you want to know what a search like this returns about you, a Snapshot Scan tells you in 48 hours.
